Account creation possible via API when SSO_ACCOUNT_SIGN_UP is set #33696

Open
ThisIsMissEm opened this issue Jan 22, 2025 · 0 comments
Labels
status/to triage This issue needs to be triaged

ThisIsMissEm commented Jan 22, 2025

Steps to reproduce the problem

Using:

  SSO_ACCOUNT_SIGN_UP=http://localhost:9000/register

  1. Create an OAuth App with write:accounts scope
  2. Create a Client Credential grant type Access Token with scope write:accounts, using the client_id and client_secret from step 1.
  3. Send a request to POST http://localhost:3000/api/v1/accounts with:

       {
         "username": "testbyapp2",
         "password": "test1234678",
         "email": "[email protected]",
         "agreement": true,
         "locale": "en-US",
         "reason": "test account"
       }

  4. Observe that the account was created successfully (see description for "problem")

Note: I'm not using OMNIAUTH_ONLY=true, which would prevent this API from being usable. The use case here is that I don't want to do SSO via OAuth, I just want to direct users to a different registration flow.

Expected behaviour

Account should maybe not be able to be created?

Actual behaviour

Account is created

Detailed description

The use case here is that I want to direct users to a specific website to sign up, such that I can give them an additional onboarding experience beyond the stock Mastodon experience.

Whilst in the current implementation it's not technically a bug, it does mean that mobile apps could bypass this additional onboarding experience.

I think the solution here is to allow a server owner to set a value like API_REGISTRATION_TOKEN and verify that that matches when calling Api::V1::AccountsController#create.

This allows for something to still create accounts via the API, but prevents non-authorised parties from creating accounts via the API, instead forcing them to use and respect the registrations.url presented in /api/v2/instance, instead of bypassing it.

Mastodon instance

local development server

Mastodon version

main

Technical details

If this is happening on your own Mastodon server, please fill out those:

  • Ruby version: v3.4.1
  • Node.js version: v22
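The check proposed above, written out as an added example (this is not Mastodon's code, and the header name X-Registration-Token, the plain-hash representation of environment and request headers, and the three result symbols are assumptions made here). It fails closed when an external sign-up flow is configured but no token has been set, and compares the token in constant time.

```ruby
require 'openssl'

# Hypothetical gate for POST /api/v1/accounts: only relevant when the
# server redirects sign-ups elsewhere via SSO_ACCOUNT_SIGN_UP.
module ApiRegistrationGate
  # Assumed header carrying the shared secret; not a Mastodon header.
  HEADER = 'X-Registration-Token'

  # Constant-time comparison so that response timing does not reveal
  # how many leading bytes of a guessed token were correct.
  def self.secure_equal?(given, expected)
    return false if given.nil? || expected.nil?
    return false if given.bytesize != expected.bytesize

    diff = 0
    given.bytes.zip(expected.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # env: the relevant environment variables as a Hash of String => String
  # headers: request headers as a Hash of String => String
  # Returns :allow, or :forbidden when the request must be rejected.
  def self.decide(env, headers)
    # OMNIAUTH_ONLY already makes this endpoint unusable; mirror that.
    return :forbidden if env['OMNIAUTH_ONLY'] == 'true'

    # No external sign-up flow configured: apps may register as before.
    return :allow if env['SSO_ACCOUNT_SIGN_UP'].to_s.empty?

    expected = env['API_REGISTRATION_TOKEN']
    # External flow configured but no token set: fail closed rather than
    # letting any client with write:accounts bypass the onboarding site.
    return :forbidden if expected.to_s.empty?

    secure_equal?(headers[HEADER], expected) ? :allow : :forbidden
  end
end
```

In a Rails controller this would sit in a before_action on create, rendering 403 on :forbidden; the decision function is kept separate here so it can be unit-tested without a request cycle.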